Find out everything about the right to erasure in the GDPR
We continue our series of articles on people's rights with the right to erasure. This article follows our 1-minute explainer video from Monday, May 16. Follow us on LinkedIn so you don't miss any news!
Grab an iced tea and off we go: we'll explain everything to you in 5 minutes!
What are people's rights?
Individual rights are addressed in Chapter 3 of the GDPR. Not all rights apply systematically to all processing; their application depends in particular on the legal basis of the processing in question.
Across our previous articles and those to come, we explain the following rights:
- Right of access,
- Right of rectification,
- Right to object (and right to withdraw consent),
- Right to erasure,
- Right to portability.
Understand everything about the right to erasure
The right to erasure, or right to be forgotten, is provided for in Article 17 of the General Data Protection Regulation. Exercising this right allows any citizen residing in the territory of a Member State of the European Union to ask a data controller or processor to erase personal data concerning them.
This is particularly the case when the person concerned no longer wishes to use the various services offered by an online commerce site and requests the closure of their account as well as the erasure of all data associated with them.
The right to be forgotten must be differentiated from the right to dereferencing according to which "the data subject may request the online search engine provider to remove one or more links to web pages from the displayed list of results following a search carried out using his or her name" (judgment of the Court of Justice of the European Union, May 13, 2014, "Costeja").
The Council of State enshrined this right in December 2019 following two judgments of the Court of Justice of the European Union of September 24, 2019 (CJEU, September 24, 2019, cases C-136/17 and C-507/17). The Council of State issued 13 judgments in which it set the framework within which a search engine operator must, under the control of the CNIL, respect the right to dereferencing.
"The main principles of this framework are:
- The judge rules taking into account the circumstances and the law applicable on the date on which he rules.
- The delisting of a link that associates the name of an individual with a web page containing personal data concerning him or her is a right.
- The right to dereferencing is not absolute. A balance must be struck between the applicant's right to privacy and the public's right to information.
- The trade-off between these two fundamental freedoms depends on the nature of the personal data.
Three categories of personal data are concerned:
- So-called sensitive data (the most intrusive data in a person's life such as those concerning their health, their sex life, their political opinions, their religious beliefs ...),
- Criminal data (relating to legal proceedings or a criminal conviction),
- Data relating to privacy without being sensitive.
The protection enjoyed by the first two categories is the highest: a dereferencing request can only be legally refused if access to sensitive or criminal data from a search of the requester's name is strictly necessary for public information. For the third category, it is sufficient that there is a preponderant public interest in accessing the information in question.
The different parameters to take into account, beyond the characteristics of the personal data in question, are the social role of the requester (his notoriety, his role in public life and his function in society) and the conditions in which the data were made public (for example, if the interested party has made this information public themselves) and otherwise remain accessible." (Source: official website of the Council of State, news section, article of December 6, 2019, "Right to be forgotten: the Council of State gives instructions for use").
This right to dereferencing complements the right to be forgotten where personal data accessible on the internet is concerned. Data subjects must exercise this right with search engines, not in order to obtain the deletion or anonymization of the web page containing the personal data they wish to have erased, but only to have the link to the page concerned removed from search engine results. The page remains accessible; it will simply no longer appear in the list of results (for a specific list of keywords) of the search engine that accepted the request.
The right of erasure in this case should be exercised with the publisher of the website from which the web page concerned originates. Its exercise, if accepted by the site publisher, will result in the deletion of identifying information.
It should be noted that the right of erasure goes beyond the restricted scope of data published via the internet and may concern many other processing operations under the conditions set out below.
The conditions to be respected to exercise the right to erasure
The right to erasure of personal data is not an absolute right. According to the provisions of Article 17 of the GDPR, the right to erasure applies in a limited number of cases, when:
- The data is no longer necessary for the purposes pursued by the processing;
- The data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing;
- The data subject exercises his or her right to object and there are no compelling legitimate grounds to enable the controller to continue the processing, or the request relates to commercial prospecting processing;
- Personal data is subject to unlawful processing;
- The data must be deleted to comply with a legal obligation provided for by European Union law or that of the Member State to which the controller is subject;
- The data was collected, on the basis of consent, as part of a service offering intended for minors.
Limits to the right to erasure
The right to erasure is limited in certain cases. Thus, it must not conflict with:
- Compliance with a legal obligation, provided for by the law of the European Union or the Member State to which the data controller is subject;
- Exercise of the right to freedom of expression and information;
- The performance of a task carried out in the public interest or in the exercise of public authority vested in the data controller;
- Carrying out scientific, historical or archival research;
- The use of data in the public interest, particularly in the health sector;
- The establishment, exercise or defense of legal rights.
The data controller may refuse to comply with a deletion request by relying on one of the grounds listed above.
Data Comply One (formerly Mission RGPD) and the right to erasure
Short on time? Feeling lost? Are you having trouble managing your compliance and, more specifically, people's rights?
Inform data subjects of their rights in a privacy policy. With Data Comply One (formerly Mission RGPD) you have a privacy policy template ready to use. Complete this policy to adapt it to the situation of your organization. Then make it accessible to people, on your website for example.
Manage your compliance with ease and peace of mind!